Hello,
Are you running all the latest Microsoft updates and security patches on the machine?
I have seen W32.Changeup causing this behaviour. It hides folders on a network share or removable drive and creates a rogue executable with the same name, and also creates an autorun file. The virus has been around a while and SEP catches it, but there is a chance that a recently coded variant is not yet recognised by current definitions.
Check this Article:
W32.Changeup keeps on giving
https://www-secure.symantec.com/connect/blogs/w32changeup-keeps-giving
Plan of Action:
- Run a scan in safe mode with networking to remove the virus. (Make sure SEP is updated with the latest definitions.)
- Disable System Restore before you do this, as the virus also creates entries in the System Restore Points store volumes.
- Disable Autoplay for ALL DRIVES via a GPO (if you're on a domain), and
- Disable Simple File Sharing if it's enabled to prevent the infection from propagating itself by binding to files.
- Secondly, submit these files to the Symantec Security Response and they will get detected. https://submit.symantec.com/essential
We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.
Check this article:
Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante
Hope that helps!!
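
The symptom described in the reply above (a hidden folder, a same-named executable beside it, and an autorun file) can be checked for on a share or removable-drive root before files are collected for submission. The following PowerShell is an added example, not part of the original post and not a Symantec tool; the function name `Find-HiddenFolderDecoy`, the `.exe` extension filter, and the sample path `E:\` are assumptions made for illustration.

```powershell
# Added example: read-only triage of a drive or share root. It reports findings
# and changes nothing. Assumes the decoy file uses the .exe extension.
function Find-HiddenFolderDecoy {
    param(
        [Parameter(Mandatory)][string]$Root   # caller-supplied, e.g. a drive root or UNC share
    )

    # -Force is required, otherwise hidden and system items are not listed at all.
    $items = Get-ChildItem -LiteralPath $Root -Force -ErrorAction Stop

    # Index executables in the root by base name (lower-cased for comparison).
    $exeByBase = @{}
    $items | Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.exe' } |
        ForEach-Object { $exeByBase[$_.BaseName.ToLowerInvariant()] = $_ }

    # A hidden folder with a same-named executable next to it is the pattern of interest.
    $hiddenDirs = $items | Where-Object {
        $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden)
    }
    foreach ($dir in $hiddenDirs) {
        $exe = $exeByBase[$dir.Name.ToLowerInvariant()]
        if ($exe) {
            [pscustomobject]@{
                Finding  = 'HiddenFolderWithSameNameExe'
                Folder   = $dir.FullName
                File     = $exe.FullName
                Modified = $exe.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            }
        }
    }

    # An autorun.inf in the root of a data share or USB stick is reported separately.
    $items | Where-Object { -not $_.PSIsContainer -and $_.Name -ieq 'autorun.inf' } |
        ForEach-Object {
            [pscustomobject]@{
                Finding  = 'AutorunFilePresent'
                Folder   = $Root
                File     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage (E:\ is a constructed sample path):
#   Find-HiddenFolderDecoy -Root 'E:\' | Format-List
```

The SHA256 column gives a stable identifier for each file to quote when submitting samples, and a match on the folder pattern alone is a lead to investigate, not a verdict.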